Official discussion thread for Phoenix. Please do not post any spoilers or big hints.

Anyone find any foothold?

I found a vuln but it's slow and I am not sure if it will merit any fruits.

Was able to laterally move but sadly didn’t get any more privileges. Will keep hammering

Let me preface with a warning that I’m new and still learning but here are my thoughts/experiences:

Comment fields seem to be sanitized. Looks like you may need to have author privs.
My only thought is to throw rockyou at ph*ix and jsth but didn’t have luck after a couple hours.

Please share your opinions on my methodology and what you guys are thinking

Oh, that's why the servers are so slow lol. I don't think you have to brute force any logins. Enumeration of the running application should get you the foothold.

I didn’t get any further than that though.

Yeah, no brute forcing needed. But this is horribly slow, even when you know what info you’re after. I had to give up because things were taking too long trying to get some specific info. I wonder if I’m missing a better technique.

Got admin credential, but blocked by 2fa.

Same here, I even got the OTP but it doesn’t work :man_shrugging:

Same point…
Got 3 creds / 2 require 2FA / 1 is not that interesting
Can’t yet bypass 2FA though… I think I know how to do it … but if anybody has any idea how to speed up the enumeration process…

… it’s so slow …

Same. I've verified that the HTTP time skew is within tolerance.

After spending hours to find t…p, I did find it (in a weird place btw), but I systematically get 'invalid code' when I try to use it…
My box is in sync with the target
This is starting to bore me a great deal now… If someone has any idea?

Rooted. Thx a lot to @timrashed for your help

OTP seems to be a rabbit hole, which I think is a shame, it was a nice way to get in


Finally rooted the box, thanks @clure for the help.

User is really hard for me. Root requires some enum but it’s easy to exploit.

Check carefully where the 2FA is used.


Great hint! thanks.

Finally got a foothold. Annoying 2FA (again).

Thx for the hint guys!

I'm stuck on the 2FA part. I read in the thread that the 2FA/OTP is a dead end?

Any pointers as to how to proceed? I have the admin creds, but cannot bypass 2FA.


Stuck on the 2FA part too, any nudge in the right direction would be appreciated!

Got admin credentials for the site, but I am stuck on the 2FA part. Could someone give me a nudge please?

Been doing some enumeration using that one vulnerability, but I feel like I’m going down a rabbit hole.

Rooted the box, definitely a lot of steps to this one and it is tricky.

Foothold: Enumerate the app very thoroughly, check as much about the app as possible. A few specific things will stick out. Some tools may not tell you everything. These will help you get by 2FA, and other things that come later.
User: Once you actually get a shell, thoroughly enumerate the box; you should notice a few things that will stick out. Check this against a file that might be hindering you from straight up switching to the user right off the bat.
Root: This one is really interesting, it’s definitely a twist on an old classic. You may want to get to the core of things.